Software developers sometimes struggle with how to integrate Intel AMT/vPro commands into their Management Consoles, since most environments have a mix of Intel AMT and non AMT clients, the first step is to identify the manageable devices and their current state.
There are two modes of Intel AMT - Intel Standard Manageability (ISM) and Intel vPro and each generation has added features. Discovery must identify the Intel AMT devices and its current configuration state (ProvisioningState, sleep state and OS) before a management console can take advantage of the remote manageability features that Intel AMT has to offer.
Note: This blog will cover Windows only.
Discovery Process
There are at least three processes that will perform a discovery of Intel AMT devices running Windows*.
- Tools from Intel SCS - systemdiscovery.exe or acuconfig.exe
- Tools from the Intel AMT SDK: RMCP Ping
- Custom Tools made from the Intel AMT SDK - WMI Provider or Intel HLAPI
Depending on which tool is used and the system’s configuration state, the discovery process can be run locally or remotely,
Local Discovery: Local discovery can be performed at the system or by pushing a script out to the system. This method uses the Windows OS drivers to communicate with the firmware, which generates the requested data. Each target system must be powered up into a running Windows state (s0) with the MEI driver and LMS service (Intel Management and Security Application Local Management Service) running. The system does NOT have to be provisioned yet to supply the requested configuration data.
Note that systems that are not Intel AMT capable will not have a provisioning state.
Remote Discovery: is performed via a remote network query of the Intel AMT firmware and the system can be in any sleep state, but is subject due to the client being configured or not the results will very. This method assumes they system is Intel AMT Capable as it will attempt to do this discovery "out of band", meaning the system does not need to be operational.
Using the Data to Determine Capabilities
Once the tool of choice has collected the data, the information needs to be returned to a management server for further processing in order to determine a device's feature-set.
Regardless of the discovery method used, a few key data points are required to determine features and the configuration potential of a given device. The firmware needs to return the following information:
ProvisioningState, ME Firmware version and Intel AMT SKU
- ProvisioningState can be Pre, Post, In, or Unknown
- Pre (configuration): the firmware can only reply when through a running OS. The firmware version and provisioning state will be sent in reply to an RMCP Ping.
- Post (configuration): The firmware is configured to communicate on the network, so a remote connection to the Firmware is possible regardless of sleep state.
- In: the firmware is in the process of being configured
- Unknown: Will be returned for Intel AMT 5.1 and older clients
- ME Firmware Version is used to determine various levels of Intel AMT Features supported such as:
- Host based Provisioning (Client Control Mode) available - Intel AMT 7.x
- Intel AMT KVM compatible - Intel AMT 6.x and above, Only available on full vPro technology systems
- AMT SKU: Value can be AMT (full vPro), Standard Manageability (limited features), and SBT/SBA (not configurable)
Using Pre-existing Intel AMT Discovery Tools
Intel SCS Discovery Tools
Key Resource: Intel Setup and Configuration Software: Intel SCS.
Intel SCS has a pair of tools available that can be used for discovery operations: AcuConfig.exe and SystemDiscovery.exe. Both of these tools yield the same results. They gather information from the firmware and then write that information to the registry and .xml file by default.
Using these tools will result in performing a local discovery action.
Example: >acuconfig.exe systemdiscovery
Creating Custom Discovery Tools
Key Resources:
If none of the above provide the flexibility that you need, discovery tools can be created that will allow full control of the operation, including local or remote - although remote discovery requires that the system be configured.
There are two main methods of crafting a custom discovery tool:
Intel WMI Provider:
Use of the WMI provider allows for use of WS-Management commands and is documented in the Intel AMT Implementation and Reference Guide. The use of this method allows for flexibility in the design of the code for a given project.
There is a code sample named SystemProperties.vbs, in the Intel AMT SDK files after installation at: \Windows\Intel_AMT\Samples\WMI
Writing code for Intel AMT is not always straight-forward and requires extensive knowledge of the usage of CIM objects and the differences between Intel AMT releases. These challenges can be addressed by the use of the AMT HLAPI (High Level API) SDK, which is discussed next.
Intel AMT HLAPI:
Like using the above Intel AMT SDK samples, the Intel AMT HLAPI library can be used to create custom tools.. The Intel AMT HLAPI provides an easier development process, because commonly used features have been streamlined, increasing your efficiency while decreasing your time required for development.
In order to implement Intel AMT Discovery, the primary API is the Discovery API. The application using HLAPI creates an object for each target system, using the AMTInstanceFactoryCreate and the IAMTInstance interface. Upon connection, read the values and decode using HLAPI.GeneralInfo.SKU
Determining the feature set of the device
Now that you have the data from your systems, the question is how to use that information. At minimum, filter on the following physical characteristics and xml tags. Values that don't match means the system is not configurable.
Note: This presentation assumes use of the command: acuconfig.exe systemdiscovery.
Key Characteristics:.
- CPU (not provided by acuconfig.exe): Only core i3, i5, i7, core M and Xeon are potentially configurable.
- LMS.exe service. This is the WMI Provider that lets the discovery tools communicate with the system firmware. May not be installed if a custom driver image is used. Can be obtained by downloading the MEI driver package from the OEM website. Tip: generally classified as a "Chipset Driver" by the OEM's.
- To determine if the LMS.exe is running, look for the service or by parsing the verbose output log of acuconfig.exe.
- IsMEIEnabled. Set by the system manufacturer, value must be True for AMT to work. Value is from the generated XML and is not dependent on LMS.exe.
- IsAMTEnabledInBIOS. Must be set to true. Some OEM's allow Intel AMT to be disabled in the BIOS, requiring it be enabled in the BIOS to activate Intel AMT. Value is from the generated XML and is dependent on LMS.exe
- AMTSKU which can be Intel Standard Manageability (ISM) or Intel Full AMT (vPro) or Small Biz (SBA). This value will declares the feature set. Value is from the generated XML and is dependent on LMS.exe.
Summary
Performing a discovery for a device isn't necessarily difficult or complex, however it does take some planning on the part of the developer. There are existing tools, or you can create custom tools or just add a few additional commands to whatever inventory agent is already running on the management console.
Other Resources
I have written some other blogs on Intel AMT to help with basic enabling tasks.
Icon Image:
Clik here to view.
